[UPHPU] receiving with $_REQUEST

Wade Preston Shearer lists at wadeshearer.com
Thu Feb 28 16:56:36 MST 2008


> You defeat the purpose of CSRF by going outside the domain to use the
> script. CSRF attacks go after already applied authentication by using it
> against the user (using their security auth to do something malicious).

I wasn't referring to CSRF. I was showing how the shopping cart/MySpace
example wasn't a valid reason against using REQUEST as the hacker can
fake-post to the shopping cart just as easy as he can fake-get to the
shopping cart, both without user interaction.
